diff --git a/ChangeLog b/ChangeLog index 59a9604394..bf4766d93b 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,5 +1,119 @@ Mbed TLS ChangeLog (Sorted per branch, date) += Mbed TLS 3.6.6 branch released 2026-03-31 + +Features + * The automatic computation of MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE has + been improved to take into account the following key types: + asymmetric keys, ciphers, AEADs, CMAC and HMAC. + * The device for reading entropy on platforms without a dedicated system + call can now be configured with MBEDTLS_PLATFORM_DEV_RANDOM or + mbedtls_platform_dev_random. + * Applications can use the new functions psa_random_reseed() to + request an immediate reseed of the PSA random generator, or + psa_random_deplete() to force a reseed on the next random generator call. + * Applications can call psa_random_set_prediction_resistance() to toggle + prediction resistance in the PSA random generator. + +Security + * The documentation of mbedtls_ssl_session_save(), + mbedtls_ssl_session_load(), mbedtls_ssl_context_save(), and + mbedtls_ssl_context_load() has been updated to clarify the responsibility + of the application to preserve the confidentiality and integrity of + serialized data, mitigating the risk of misuse of these APIs. + Credit to Haruto Kimura (Stella) and Eva Crystal (0xiviel) for + highlighting risks associated with tampered serialized data. + * The default device for reading entropy on platforms without a dedicated + system call is now /dev/random instead of /dev/urandom. This is safer + on Linux in case the application runs early after the kernel boots, + but may block needlessly on Linux <= 5.6. Reported by supers1ngular + (BayLibre). + * Fix missing validation of the peer's key in key agreement operations using + PSA_ALG_FFDH: low-order elements were not rejected as they should be. This + is a problem for protocols using FFDH that expect contributory behaviour, + that is, where neither party should be able to force the shared secret + into a small set. Reported independently by Eva Crystal (0xiviel) and ++ another reporter. 
+ * Add tag length validation in mbedtls_ccm_finish() to prevent + out-of-bounds reads and mitigate potential application buffer + overflows where applications relied on the library to enforce + tag length constraints. + Reported by Eva Crystal (0xiviel). + * Fix a NULL pointer dereference in mbedtls_x509_string_to_names() when + mbedtls_calloc() fails to allocate memory. This was caused by failing to + check whether mbedtls_calloc() returned NULL. Found and reported by + Haruto Kimura (Stella). + * Fix a buffer overflow in psa_export_public_key() for FFDH keys when the + output buffer is too small. Found by Haruto Kimura (Stella). + * Fix a limited buffer underflow in x509_inet_pton_ipv6(). In rare cases + (e.g. on platforms with memory protection when the overread crosses page + boundary) this could lead to DoS. Found and reported by Haruto Kimura + (Stella). CVE-2026-25833 + * If an application called psa_crypto_init() then fork() and continued to + use cryptography APIs (possibly indirectly, e.g. for TLS), the random + generator states were duplicated. Fix this by forcing a RNG reseed in + the child process. CVE-2026-25835 + * Applications running in environments where the application state is + cloned (for example due to resuming a frozen system state multiple + times, or due to cloning a virtual machine image) should arrange to + reseed the random generator using one of the new functions + psa_random_reseed() or psa_random_deplete(). CVE-2026-25835 + * Fix a bug in the TLS 1.2 client's signature algorithm check, which caused + the client to accept server key exchange messages signed with a signature + algorithm explicitly disallowed by the client. Found and reported by + EFR-GmbH and M. Heuft of Security-Research-Consulting GmbH. CVE-2026-25834 + * Fixed an issue in TLS 1.3 server handling of the second ClientHello, after + sending a HelloRetryRequest message. 
A man-in-the-middle attacker could + force a TLS 1.3 session resumption using a ticket to fall back to an + unintended TLS 1.2 session resumption with an all-zero master secret. + This could result in client authentication being bypassed and allow client + impersonation. + Found and reported by Jaehun Lee, Pohang University of Science and + Technology (POSTECH). + +Bugfix + * Appease GCC 14.3's array bounds checker by inserting checks in mbedtls_xor + that bail before the byte-at-a-time loop when the array size is a constant + (using MBEDTLS_HAS_BUILTIN) and an exact multiple of the larger loop size. + * CMake now installs headers to `CMAKE_INSTALL_INCLUDEDIR` instead of the + hard-coded `include` directory. + * Prevent loading of peristent keys whose key ID belong to the volatile + range. + * Partially fix a performance regression in RSA operations introduced by a + security fix in 3.6.5, by improving the performance of RSA private key + operations when MBEDTLS_RSA_NO_CRT is disabled, which is the default. + * Fix compilation errors in `aesce.c` in some Visual Studio builds. + Fixes Mbed-TLS/TF-PSA-Crypto#548. + * Fix a build failure with MinGW when the __USE_MINGW_ANSI_STDIO option + is set. This was caused by the wrong format specifier being used to + print long long values (MBEDTLS_PRINTF_LONGLONG). + * Fix a bug that caused GCM tag calculations to fail, so that data was + correctly encrypted but could not be authenticated. The bug was only + observed with GCC 10.0 to 14.2 inclusive, when compiling with -O3, and + running without AESNI or AESCE. + Fixes #665. + * Fix a build failure with dietlibc. + * Support re-assembly of fragmented DTLS 1.2 ClientHello in Mbed TLS server. + * Support re-assembly of fragmented TLS 1.2 ClientHello in Mbed TLS server + even if TLS 1.3 support is disabled. This removes the main limitation on + support for re-assembly of fragmented handshake messages in TLS 1.2. 
+ * Some functions in PK were using large buffers (around 2KB in the default + configuration) on the stack, which was a problem in environments with a + small stack. Those buffers are now allocated on the heap, except in + configurations where ECC is the only supported key type in PK, making PK + still independent of the heap in such configurations (if the ECC driver + itself is not using the heap). Fixes #476. + +Changes + * Add casts to some Enums to remove compiler errors thrown by IAR 6.5. + Removes Warning "mixed ENUM with other type". + * Tweak the detection of Unix-like platforms, which makes more system + interfaces (timing, threading) available on Haiku, QNX and Midipix. + * Harden mbedtls_ssl_get_verify_result() against misuse. + If the handshake has not yet been attempted, return -1u to indicate + that the result is not available. Previously the result of verification + was zero-initialized so the function would return 0 (indicating success). + = Mbed TLS 3.6.5 branch released 2025-10-15 API changes diff --git a/ChangeLog.d/aesce-include.txt b/ChangeLog.d/aesce-include.txt deleted file mode 100644 index bda1188bea..0000000000 --- a/ChangeLog.d/aesce-include.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Fix compilation errors in `aesce.c` in some Visual Studio builds. - Fixes Mbed-TLS/TF-PSA-Crypto#548. diff --git a/ChangeLog.d/context_load_and_session_load_documentation.txt b/ChangeLog.d/context_load_and_session_load_documentation.txt deleted file mode 100644 index dbbbda1fea..0000000000 --- a/ChangeLog.d/context_load_and_session_load_documentation.txt +++ /dev/null 
@@ -1,8 +0,0 @@ -Security - * The documentation of mbedtls_ssl_session_save(), - mbedtls_ssl_session_load(), mbedtls_ssl_context_save(), and - mbedtls_ssl_context_load() has been updated to clarify the responsibility - of the application to preserve the confidentiality and integrity of - serialized data, mitigating the risk of misuse of these APIs. - Credit to Haruto Kimura (Stella) and Eva Crystal (0xiviel) for - highlighting risks associated with tampered serialized data. diff --git a/ChangeLog.d/dev-random.txt b/ChangeLog.d/dev-random.txt deleted file mode 100644 index eff1352354..0000000000 --- a/ChangeLog.d/dev-random.txt +++ /dev/null @@ -1,11 +0,0 @@ -Features - * The device for reading entropy on platforms without a dedicated system - call can now be configured with MBEDTLS_PLATFORM_DEV_RANDOM or - mbedtls_platform_dev_random. - -Security - * The default device for reading entropy on platforms without a dedicated - system call is now /dev/random instead of /dev/urandom. This is safer - on Linux in case the application runs early after the kernel boots, - but may block needlessly on Linux <= 5.6. Reported by supers1ngular - (BayLibre). diff --git a/ChangeLog.d/dtls-client-hello-defragmentation.txt b/ChangeLog.d/dtls-client-hello-defragmentation.txt deleted file mode 100644 index f5ff0b754c..0000000000 --- a/ChangeLog.d/dtls-client-hello-defragmentation.txt +++ /dev/null @@ -1,5 +0,0 @@ -Bugfix - * Support re-assembly of fragmented DTLS 1.2 ClientHello in Mbed TLS server. - * Support re-assembly of fragmented TLS 1.2 ClientHello in Mbed TLS server - even if TLS 1.3 support is disabled. This removes the main limitation on - support for re-assembly of fragmented handshake messages in TLS 1.2. diff --git a/ChangeLog.d/ffdh-peerkey-check.txt b/ChangeLog.d/ffdh-peerkey-check.txt deleted file mode 100644 index 2c0c9c2fab..0000000000 --- a/ChangeLog.d/ffdh-peerkey-check.txt +++ /dev/null 
@@ -1,7 +0,0 @@ -Security - * Fix missing validation of the peer's key in key agreement operations using - PSA_ALG_FFDH: low-order elements were not rejected as they should be. This - is a problem for protocols using FFDH that expect contributory behaviour, - that is, where neither party should be able to force the shared secret - into a small set. Reported independently by Eva Crystal (0xiviel) and -+ another reporter. diff --git a/ChangeLog.d/fix-ccm-finish.txt b/ChangeLog.d/fix-ccm-finish.txt deleted file mode 100644 index cee7cc5e06..0000000000 --- a/ChangeLog.d/fix-ccm-finish.txt +++ /dev/null @@ -1,6 +0,0 @@ -Security - * Add tag length validation in mbedtls_ccm_finish() to prevent - out-of-bounds reads and mitigate potential application buffer - overflows where applications relied on the library to enforce - tag length constraints. - Reported by Eva Crystal (0xiviel). diff --git a/ChangeLog.d/fix-mingw-ansi-stdio.txt b/ChangeLog.d/fix-mingw-ansi-stdio.txt deleted file mode 100644 index d9293d95ca..0000000000 --- a/ChangeLog.d/fix-mingw-ansi-stdio.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Fix a build failure with MinGW when the __USE_MINGW_ANSI_STDIO option - is set. This was caused by the wrong format specifier being used to - print long long values (MBEDTLS_PRINTF_LONGLONG). diff --git a/ChangeLog.d/fix-null-pointer-dereference.txt b/ChangeLog.d/fix-null-pointer-dereference.txt deleted file mode 100644 index 1dd7d61905..0000000000 --- a/ChangeLog.d/fix-null-pointer-dereference.txt +++ /dev/null @@ -1,5 +0,0 @@ -Security - * Fix a NULL pointer dereference in mbedtls_x509_string_to_names() when - mbedtls_calloc() fails to allocate memory. This was caused by failing to - check whether mbedtls_calloc() returned NULL. Found and reported by - Haruto Kimura (Stella). diff --git a/ChangeLog.d/fix-psa-ffdh-buffer-overflow.txt b/ChangeLog.d/fix-psa-ffdh-buffer-overflow.txt deleted file mode 100644 index 5a0536575a..0000000000 
--- a/ChangeLog.d/fix-psa-ffdh-buffer-overflow.txt +++ /dev/null @@ -1,3 +0,0 @@ -Security - * Fix a buffer overflow in psa_export_public_key() for FFDH keys when the - output buffer is too small. Found by Haruto Kimura (Stella). diff --git a/ChangeLog.d/fix-static-key-slot-buffer-size-computation.txt b/ChangeLog.d/fix-static-key-slot-buffer-size-computation.txt deleted file mode 100644 index bb04efcf2b..0000000000 --- a/ChangeLog.d/fix-static-key-slot-buffer-size-computation.txt +++ /dev/null @@ -1,4 +0,0 @@ -Features - * The automatic computation of MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE has - been improved to take into account the following key types: - asymmetric keys, ciphers, AEADs, CMAC and HMAC. diff --git a/ChangeLog.d/gcc-14.3.txt b/ChangeLog.d/gcc-14.3.txt deleted file mode 100644 index b82d67e51c..0000000000 --- a/ChangeLog.d/gcc-14.3.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Appease GCC 14.3's array bounds checker by inserting checks in mbedtls_xor - that bail before the byte-at-a-time loop when the array size is a constant - (using MBEDTLS_HAS_BUILTIN) and an exact multiple of the larger loop size. diff --git a/ChangeLog.d/gnuinstalldirs_include.txt b/ChangeLog.d/gnuinstalldirs_include.txt deleted file mode 100644 index 7e0782d1e1..0000000000 --- a/ChangeLog.d/gnuinstalldirs_include.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * CMake now installs headers to `CMAKE_INSTALL_INCLUDEDIR` instead of the - hard-coded `include` directory. diff --git a/ChangeLog.d/iar-6.5fs.txt b/ChangeLog.d/iar-6.5fs.txt deleted file mode 100644 index 63e903b9c3..0000000000 --- a/ChangeLog.d/iar-6.5fs.txt +++ /dev/null @@ -1,3 +0,0 @@ -Changes - * Add casts to some Enums to remove compiler errors thrown by IAR 6.5. - Removes Warning "mixed ENUM with other type". diff --git a/ChangeLog.d/inet_pton.txt b/ChangeLog.d/inet_pton.txt deleted file mode 100644 index 73b9aa6b19..0000000000 --- a/ChangeLog.d/inet_pton.txt +++ /dev/null 
@@ -1,5 +0,0 @@ -Security - * Fix a limited buffer underflow in x509_inet_pton_ipv6(). In rare cases - (e.g. on platforms with memory protection when the overread crosses page - boundary) this could lead to DoS. Found and reported by Haruto Kimura - (Stella). CVE-2026-25833 diff --git a/ChangeLog.d/issue488.txt b/ChangeLog.d/issue488.txt deleted file mode 100644 index 77cbe2d5e3..0000000000 --- a/ChangeLog.d/issue488.txt +++ /dev/null @@ -1,3 +0,0 @@ -Bugfix - * Prevent loading of peristent keys whose key ID belong to the volatile - range. diff --git a/ChangeLog.d/issue665.txt b/ChangeLog.d/issue665.txt deleted file mode 100644 index 7d3da9ebce..0000000000 --- a/ChangeLog.d/issue665.txt +++ /dev/null @@ -1,6 +0,0 @@ -Bugfix - * Fix a bug that caused GCM tag calculations to fail, so that data was - correctly encrypted but could not be authenticated. The bug was only - observed with GCC 10.0 to 14.2 inclusive, when compiling with -O3, and - running without AESNI or AESCE. - Fixes #665. diff --git a/ChangeLog.d/pk-large-stack-buffers.txt b/ChangeLog.d/pk-large-stack-buffers.txt deleted file mode 100644 index 78a66a4519..0000000000 --- a/ChangeLog.d/pk-large-stack-buffers.txt +++ /dev/null @@ -1,7 +0,0 @@ -Bugfix - * Some functions in PK were using large buffers (around 2KB in the default - configuration) on the stack, which was a problem in environments with a - small stack. Those buffers are now allocated on the heap, except in - configurations where ECC is the only supported key type in PK, making PK - still independent of the heap in such configurations (if the ECC driver - itself is not using the heap). Fixes #476. diff --git a/ChangeLog.d/rng-cloning.txt b/ChangeLog.d/rng-cloning.txt deleted file mode 100644 index 6f68d26bb8..0000000000 --- a/ChangeLog.d/rng-cloning.txt +++ /dev/null 
@@ -1,18 +0,0 @@ -Features - * Applications can use the new functions psa_random_reseed() to - request an immediate reseed of the PSA random generator, or - psa_random_deplete() to force a reseed on the next random generator call. - * Applications can call psa_random_set_prediction_resistance() to toggle - prediction resistance in the PSA random generator. - -Security - * If an application called psa_crypto_init() then fork() and continued to - use cryptography APIs (possibly indirectly, e.g. for TLS), the random - generator states were duplicated. Fix this by forcing a RNG reseed in - the child process. CVE-2026-25835 - * Applications running in environments where the application state is - cloned (for example due to resuming a frozen system state multiple - times, or due to cloning a virtual machine image) should arrange to - reseed the random generator using one of the new functions - psa_random_reseed() or psa_random_deplete(). CVE-2026-25835 - diff --git a/ChangeLog.d/rsa-private-perf.txt b/ChangeLog.d/rsa-private-perf.txt deleted file mode 100644 index c7893032c6..0000000000 --- a/ChangeLog.d/rsa-private-perf.txt +++ /dev/null @@ -1,4 +0,0 @@ -Bugfix - * Partially fix a performance regression in RSA operations introduced by a - security fix in 3.6.5, by improving the performance of RSA private key - operations when MBEDTLS_RSA_NO_CRT is disabled, which is the default. diff --git a/ChangeLog.d/sig_algs_check.txt b/ChangeLog.d/sig_algs_check.txt deleted file mode 100644 index b0aed6dfd3..0000000000 --- a/ChangeLog.d/sig_algs_check.txt +++ /dev/null @@ -1,5 +0,0 @@ -Security - * Fix a bug in the TLS 1.2 client's signature algorithm check, which caused - the client to accept server key exchange messages signed with a signature - algorithm explicitly disallowed by the client. Found and reported by - EFR-GmbH and M. Heuft of Security-Research-Consulting GmbH. CVE-2026-25834 
diff --git a/ChangeLog.d/tls12-2nd-client-hello.txt b/ChangeLog.d/tls12-2nd-client-hello.txt deleted file mode 100644 index 7513e0b945..0000000000 --- a/ChangeLog.d/tls12-2nd-client-hello.txt +++ /dev/null @@ -1,9 +0,0 @@ -Security - * Fixed an issue in TLS 1.3 server handling of the second ClientHello, after - sending a HelloRetryRequest message. A man-in-the-middle attacker could - force a TLS 1.3 session resumption using a ticket to fall back to an - unintended TLS 1.2 session resumption with an all-zero master secret. - This could result in client authentication being bypassed and allow client - impersonation. - Found and reported by Jaehun Lee, Pohang University of Science and - Technology (POSTECH). diff --git a/ChangeLog.d/unistd.txt b/ChangeLog.d/unistd.txt deleted file mode 100644 index 84afdc315f..0000000000 --- a/ChangeLog.d/unistd.txt +++ /dev/null @@ -1,6 +0,0 @@ -Changes - * Tweak the detection of Unix-like platforms, which makes more system - interfaces (timing, threading) available on Haiku, QNX and Midipix. - -Bugfix - * Fix a build failure with dietlibc. diff --git a/ChangeLog.d/verify-result-default-value.txt b/ChangeLog.d/verify-result-default-value.txt deleted file mode 100644 index 2cf3f0c21b..0000000000 --- a/ChangeLog.d/verify-result-default-value.txt +++ /dev/null @@ -1,5 +0,0 @@ -Changes - * Harden mbedtls_ssl_get_verify_result() against misuse. - If the handshake has not yet been attempted, return -1u to indicate - that the result is not available. Previously the result of verification - was zero-initialized so the function would return 0 (indicating success).
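Review bot: the FFDH credit line in the Security section of the `ChangeLog` hunk is added as `++ another reporter.`, so the assembled ChangeLog will contain a line that starts with a literal `+` instead of the leading spaces every other continuation line uses, and "another reporter" reads like an unfilled placeholder rather than a credit; the same line shows up as `-+ another reporter.` in the removed `ChangeLog.d/ffdh-peerkey-check.txt`, so the defect was inherited from the fragment. Suggest replacing it with a correctly indented line carrying the intended name, or dropping the clause if the second reporter asked not to be named. In the same hunk, Bugfix section, `Prevent loading of peristent keys whose key ID belong to the volatile` should read `persistent keys whose key ID belongs to the volatile range`. Two smaller consistency points: the two adjacent entries tagged CVE-2026-25835 describe one fix plus guidance for cloned-state environments, and merging the second into the first would stop a reader scanning by CVE from taking them for two distinct issues; and the HelloRetryRequest entry is the only Security entry written in the past tense (`Fixed an issue ...`) and the only one without an identifier, so it should be reworded as `Fix ...` and carry a CVE if one has been assigned.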
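Review bot: the multi-section fragments (`dev-random.txt` with Features and Security, `rng-cloning.txt` with Features and Security, `unistd.txt` with Changes and Bugfix) are split into the correct `Features`/`Security`/`Bugfix`/`Changes` sections of the new 3.6.6 block, and the single-section fragments are carried over verbatim, so deleting the `ChangeLog.d/*.txt` files is safe. The one line that should not have been carried over verbatim is `+ another reporter.` from `ffdh-peerkey-check.txt`; since that fragment is removed in this patch, the correction has to be made directly in `ChangeLog`, ideally in this same change so the stray `+` never reaches the released file.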